Ex-NSA Chief’s Anti-Hacker Patent Sparks Ethics QuestionsCarter Dougherty, Susan Decker and Chris Strohm
A 5-month-old company in Washington has developed what it calls groundbreaking technology to thwart cyber-attacks before they’ve been identified -- a significant advancement over current systems that react to known threats.
Trouble is, the founder of the company, Keith Alexander, headed the U.S. National Security Agency until March, and his plan to patent the technology is drawing criticism from people who say he’s profiting from work he did for the government.
Alexander, who recently offered cybersecurity services to a group of companies for hundreds of thousands of dollars a month, says he’s done nothing improper. The technology he’s developing doesn’t need to be submitted to the NSA for prior review because it’s distinct from what the agency is working on, he said.
“When the patents become visible to everybody, they will see the solution is a game changer and hugely different from what the NSA is looking at,” Alexander, a retired four-star general who also headed the U.S. Cyber Command while running the NSA, said in an interview.
Alexander’s new company, IronNet Cybersecurity, is forming as a wave of cyber-attacks has focused attention on computer security. JPMorgan Chase & Co. is investigating attacks that may have been aided by the Russian government, according to two people familiar with the probe. Home Depot Inc. said Sept. 8 hackers attacked its computer systems at U.S. and Canadian stores and the company is investigating whether consumer data was stolen, a revelation that sent its shares tumbling.
There was something “really fishy” about Alexander’s dash into the private sector, said Matthew Aid, author of books on the NSA and intelligence work, including “Intel Wars: The Secret History of the Fight Against Terror.”
“As head of Cyber Command he had to protect U.S. government networks,” Aid said in a phone interview. “He must have appreciated the immense profit potential in doing this work in the private sector.”
IronNet is working with lawyers to draft as many as 10 patent applications in which the NSA would have no stake. Alexander said the “real key” to the patents was a person who never worked for the agency.
“It all starts with one basic idea that we didn’t use at NSA and I didn’t come up with,” Alexander said. “I can’t claim credit.”
Alexander said IronNet began developing the new technology in April and its first tests were successful. It will take eight more months “before we’re ready to use” the idea, he said.
“Even if we get it successfully to work, it will take a while to get it implemented,” Alexander said.
Alexander said he hasn’t presented his post-NSA ideas for agency pre-clearance, since IronNet has taken “great pains” to ensure its work differs from NSA’s while he worked there.
Alexander said he has spoken to high-level officials at the agency and “they see all this stuff on the patents, they think it’s absurd, about me stealing from the NSA to go patent.”
“One of the top guys said, ‘Trust me, we know you’re not doing that,’” he said.
“For anybody at the NSA to say ‘Trust me’ is simply ludicrous at this point,” said Melanie Sloan, executive director of Citizens for Responsibility and Ethics in Washington, a nonprofit watchdog. “There is no question that at least this has the appearance of impropriety.”
Vanee Vines, a spokeswoman for the NSA, said that all employees sign a confidentiality agreement that imposes a lifetime obligation to submit publications -- including patent applications -- for pre-review.
“Publication of information that is unrelated to official activities and meets specified criteria is exempt from pre-publication review,” she wrote in an e-mail. She declined to comment specifically on Alexander’s activities.
IronNet earlier this year offered to join with another firm to provide cybersecurity expertise to the Securities Industry and Financial Markets Association, Wall Street’s largest lobby group, for $1 million a month, according to two people briefed on the discussions. Alexander disputed that figure and Liz Pierce, spokeswoman for the group, declined to comment.
Alexander said IronNet’s current fees for its own work are lower than what he was told was the going rate of $500,000 per month.
In addition to dispensing advice, IronNet is working with lawyers to draft as many as 10 patent applications that will include Alexander as co-inventor on one and “maybe a few others,” he said. A patent offers protection from copying by rivals. He declined to name the lead inventor on the technology they’re seeking to patent, saying it’s someone who didn’t previously work at NSA.
Generally, the U.S. presumes that if an invention is related to a person’s job -- say a researcher -- then the government is the owner, said Scott Felder, a patent lawyer with Wiley Rein in Washington, who specializes in intellectual property in defense contracts. Each department or agency has its own rules when it comes to ex-employees who start businesses similar to their old government jobs, Felder said.
“The basic rule is if there’s an invention, the government is going to get ownership if it’s done with government resources,” Felder said in an interview.
Even if the U.S. says it has ownership rights, Alexander might not be shut out, Felder said. Employees can strike some sort of deal for joint ownership. At the least, the person might get royalties from any licensing done by the government.
Applicants are required to state whether the government may have some rights to the invention, and the statement is based on the honor system, said Robert Stoll, a former patents commissioner at the U.S. Patent and Trademark Office and now a lawyer with Drinker Biddle in Washington.
“There is a perception that if he’s just five months out, he did conceive of it while he was there,” Stoll said.
“Let’s say he’s at the NSA, he sees things as they work,” Stoll said. “He saw problems and he’s conceived of solutions because he’s got nothing else to do now that he’s left the NSA.”
Stewart Baker, a former general counsel at NSA and now a lawyer at Steptoe & Johnson LLP, said Alexander could still profit from inventions even if a review determined they were related to his government work.
“It’s not like you end up out in the cold if you invented something on NSA’s time,” Baker said in an interview.
Even if IronNet never gets any patents, or the government claims ownership, the phrases “patented invention” or “patent pending” can be a great marketing tool, Felder said.
The average patent application takes almost 28 months to complete, with computer-related patents often taking longer, according to Patent and Trademark Office data.
By law, all patent applications are made public after 18 months except in special circumstances, and all patents are public from the day they are issued.
IronNet, Alexander said, will offer a novel defense against “zero-day” attacks, a type of hacking that exploits previously unknown flaws in network security. The label comes from the fact that, with no warning, the target has zero days to protect systems from attack.
Current cybersecurity strategies assume the defender knows what threats are present, and can quickly identify them by their digital profile, known as their signature. Alexander said IronNet’s approach is to counter those attacks as quickly as possible, without that prior knowledge.
“All the patents and stuff that people work on today assume knowledge of the threat,” he said. “What it means is a new approach. Something that’s never been used.”
Alexander said he is listed as a co-inventor on three other pending applications and four in the works through NSA. The agency would own those outright, and IronNet could use the inventions only by getting a license from the agency, he said.
The company will open offices outside Washington in Tysons Corner, Virginia, and Fort Meade, Maryland, where NSA has headquarters. There are a lot of “retirees” from NSA in that area who might work for the company, Alexander said. He wouldn’t name the lead inventor of the new technology.
Alexander said some of the ideas IronNet has developed will remain a trade secret, which would allow the company to keep them out of the public domain.
“We’re having that debate -- how much do you reveal in the patent and how much do you keep secret for the good of the country?” Alexander said.